(54) Title: METHOD FOR SIGNATURE SPLITTING TO PROTECT PRIVATE KEYS
(57) Abstract

A method for splitting digital signature algorithms is described that can increase 
the protection of the private key x of the user of an asymmetric key pair (x, y). In an 
initialization phase, the private key is split into private subkeys. The actual signature 
splitting method consists of two steps. In a first step (204), partial signature values are 
computed from the message m to be signed and the subkeys without using the initial 
private key x. In a second step (206), these partial signature values are combined to form the 
complete digital signature. To increase the security of the private key x, the private subkeys 
and the algorithms to compute the partial signature values can be stored and implemented 
on separate tamper-resistant devices. When a proper subset of the private subkeys becomes 
compromised, new private subkeys can be generated without having to change the original 
key pair (x, y). 
Method for Signature Splitting to Protect Private Keys

Technical Field 

The present invention relates to a method and apparatus
for generating a digital signature according to the preamble
of the independent claims.

Background Art

In a Public-Key Crypto System (PKCS) each user has one or
more key pairs (x,y) consisting of a private key x and a
corresponding public key y (cf. Handbook of Applied
Cryptography by A.J. Menezes, P.C. van Oorschot and S.A.
Vanstone, CRC Press, 1997, ISBN 0-8493-8523-7). The public
key is made available to all users of the PKCS in such a
way that the authenticity of the link between a user - which
is characterized by a distinguished name - and his public
key is guaranteed. The private key x, however, is kept
secret and only the authorized user has access to x.

Signature schemes that rely on a PKCS are e.g. RSA (cf.
US 4 405 829), or ElGamal based signature schemes, such as
the schemes of Schnorr (US 4 995 082) and Nyberg-Rueppel
(cf. K. Nyberg, R. Rueppel, "Message Recovery for Signature
Schemes Based on the Discrete Logarithm Problem," Designs,
Codes and Cryptography, 7, 1996, pp. 61-81) or the DSA, see
FIPS 186 ("Digital Signature Standard", Federal Information
Processing Standards Publication 186, U.S. Department of
Commerce/N.I.S.T., National Technical Information Service,
Springfield, Virginia, 1994). These digital signature
schemes provide methods for signing a digital message and
verifying a digital signature. But they do not provide means
for protecting the private key.

If an unauthorized party obtains a copy of the private
key x, this party can form digital signatures and act as
if it were the authorized user. Thus, it is crucial to
securely protect the private key x and to avoid that x
becomes compromised, e.g., by falling into the hands of
an unauthorized party.

The private key is usually protected by an access control
system. In a simple access control system, the private
key x is stored in encrypted format on a storage device
and the private key is only made available if the correct
password is provided. The security of an access control
system depends on different factors such as the particular
access control mechanism, the encryption algorithm used,
the device that performs encryption and decryption, and
the storage device on which the private key is stored.
Possible storage devices could be a diskette, a dedicated
protected computer system or a tamper-resistant device
such as a chip card or an electronic wallet but also a PC
at home.

There are different ways how the private key of a user
can become compromised. The following threats may arise.

(I) The access control is compromised. E.g., an
unauthorized party has obtained the password or succeeds in
reading the private key from the storage device.

(II) An authorized party is able to extract (parts of)
the private key during the digital signature process from
the device that performs the signature.

(III) Information about the private key leaks out to an
unauthorized party during the initialization and key
distribution phase.

(IV) The underlying PKCS and the corresponding digital
signature scheme are broken.


Disclosure of the Invention 

The problem to be solved by the present invention is to
increase the protection of the private key against at
least one of the threats (I)-(III). This problem is solved
by the method and apparatus according to the independent
claims.

The invention can in particular be used to increase
protection against threats (I) and (II). It can also partly
increase the protection against threat (III) depending on
the key generation and key distribution model.

The present invention makes use of a particular idea from
Secret Sharing (cf. Chapter 12.7 in the textbook cited
above), viz., the private key is split into two or more
private subkeys. In contrast to Secret Sharing, the private
subkeys need not be distributed to different entities; in
the present invention, the private subkeys can also be
managed and used by the same entity. Thus, this invention
is based on a different trust model than the one in Secret
Sharing. Another important difference to Secret Sharing
consists in the way that the subkeys are used. In the
present invention, the subkeys need not be communicated to
a dedicated entity to form the original private key x;
instead, the subkeys are used to create partial signatures
and these partial signatures are combined to form the full
signature. Thus, when producing a digital signature, the
private key x is never generated from the private subkeys.
Moreover, the private subkeys cannot be effectively
determined from the partial signatures and, hence, even if
an unauthorized party knows all partial signatures, the
private key is not compromised.

Brief Description of the Drawings

The invention will be better understood and objects other
than those set forth above will become apparent when
consideration is given to the following detailed
description thereof. Such description makes reference to
the annexed drawings, wherein:

Fig. 1 shows the steps of the subkey generation phase for
generating t private subkeys,

Fig. 2 shows the steps of the Signature Splitting Method
using t=2 private subkeys,

Fig. 3 shows a possible hardware implementation for a
signature splitting scheme with t=2 private subkeys.

Modes for Carrying Out the Invention 

The present invention provides a method to split digital
signatures into partial signatures and to combine these
to generate the full original signature. The resulting
scheme will be called a Signature Splitting Scheme (SSS).


As a prerequisite, it is assumed that the private key x
can be viewed as an element of a group X with group
operation +, where 0 denotes the neutral element, and that
the signature or a characteristic value s of the signature
lies in a monoid S with composition law *. Fixing a
message m to be signed, the signature algorithm $\Sigma$
defines a mapping $\sigma_m$ from the key group X to the
signature monoid S, namely, $s = \sigma_m(x)$, where s is the
signature value that results from applying the signature
algorithm $\Sigma$ to m using the private key x. It is further
assumed that, for almost all allowed messages m, the mapping
$\psi_m$ defined by

$\psi_m(x) = \sigma_m(x) * (\sigma_m(0))^{-1}$ ,   (1)

where $(\sigma_m(0))^{-1}$ denotes the inverse of $\sigma_m(0)$, is a
homomorphism from X to S.

In an initialization phase, which will be called Subkey
Generation Phase, the private key x is split into two or
more private subkeys $x_1, x_2, \ldots$ using a Shared Control
Scheme as described in Chapter 12.7.1 in the textbook
cited above. A splitting into t private subkeys is
obtained by choosing t-1 uniformly random subkeys
$x_1, x_2, \ldots, x_{t-1}$ in the group X and by requiring that
the last private subkey $x_t$ satisfies the equation

$x = x_1 + x_2 + \ldots + x_t$ .   (2)

The private subkeys are separately stored and protected
by separate access control systems. This concludes the
initialization phase of the subkey generation.

The signature splitting method makes use of the
homomorphism property

$\psi_m(x) = \psi_m(x_1) * \psi_m(x_2) * \ldots * \psi_m(x_t)$ .   (3)

The following steps are carried out:

(i) For a message m to be signed, the value $b = \sigma_m(0)$,
which is independent of x, is split into t subvalues
$b_1, b_2, \ldots, b_t$ using a pre-defined splitting rule such
that in the monoid S the following equation holds

$b = b_1 * b_2 * \ldots * b_t$ .   (4)

(ii) Using the private subkeys, the message m and the
previously computed subvalues $b_i$, the partial signature
values

$s_i = \psi_m(x_i) * b_i$   (5)

are computed for i = 1, 2, ..., t.

(iii) Eventually, the partial signature values are
combined to form the signature value s, given by

$s = s_1 * s_2 * \ldots * s_t$ .   (6)

Detailed Description for the Implementation of Signature
Splitting Schemes

The goal of a SSS is to increase the protection of the
private key x. To increase the protection against threats
(I) and (II), the private subkeys and the algorithms for
the computation of the partial signature values $s_i$ can
be stored and implemented on separate tamper-resistant
devices, which are under the control of the authorized
user of the key pair (x,y). The combining operation (6),
in the last step, can be performed on a dedicated device
that reads in the partial signature values and generates
the output s. This dedicated device need not necessarily
be under the control of the authorized user; the combining
operation can e.g. take place on the device of the
receiver of the digital signature.

A possible hardware implementation of a SSS is shown in
Fig. 3 where t=2 private subkeys are used. In the key
generation phase, the key pair (x, y) can be generated on
a computer (shown as device 300 in Fig. 3). This computer
can also contain a program that executes the steps of the
Subkey Generation Phase as described above and illustrated
in Fig. 1. E.g., the storing operation at step 106 in
Fig. 1 will put the private subkeys $x_1$ and $x_2$ on the
two separate chip cards 304 and 308 shown in Fig. 3.

Suppose a message m obtained via the input interface 310
(e.g. a keyboard) or via the network is to be signed by
the user with key pair (x,y) using the computer 300 and
the two chip cards 304 and 308, which carry the two
private subkeys $x_1$ and $x_2$. The digital signature is
performed by applying the steps of the signature splitting
method described above and illustrated in Fig. 2. The
mentioned computer sends the message m to the processors
on the two chip cards 304, 308. In order to activate the
partial signature computation (step 204 in Fig. 2) on the
chip cards 304, 308, the user must enter the two passwords
for the two subkeys, which can be done via the keyboard of
the computer 300 or via two separate mini-keyboards that
are installed on the chip cards or on the two chip card
readers. After performing the computation of the subvalues
(step 202) and the computation of the partial signatures
(step 204), the two chip cards transfer the resulting
partial signature values $s_1$ and $s_2$ to the mentioned
computer. On this computer, the partial signature values
are combined to the signature value s and completed to the
full signature in an appropriate format. It can then be
transferred over a network 312 to a computer 314 of another
user of the PKCS.

Key Protection and Subkey Re-generation

Once the subkey generation is completed and all subkeys
are stored on dedicated devices, the initial private key
x need not be kept and stored in a SSS. Without private
key x, direct attacks against the private key are no
longer possible. Thus, in a SSS the private key can only
be attacked via attacks against the subkeys.

WO 00/49768 PCT/IB99/00281

The Shared Control Scheme described above has the following
security feature: If the private key x is split into t
private subkeys as specified in the initial Subkey
Generation Phase, then x will not be compromised unless all
t private subkeys are compromised because fewer than t
subkeys give no information about the private key x. Thus,
if the t subkeys are all stored on separate devices, it is
about t times more difficult to obtain all subkeys than it
would be to obtain the original private key, when no SSS
is used. Therefore, a SSS can increase the protection
against threat (I) by about a factor of t. A similar
increase of the security of the private key x against
threat (II) by a factor of t is obtained if all partial
signature values $s_1, s_2, \ldots, s_t$ are computed on t
separate devices.

If in a digital signature scheme the private key gets
compromised, there is no way to recover without replacing
the old key pair (x,y) by a new key pair (x',y'). This
may have far reaching implications if the user of this
key pair represents a particular trustworthy authority
such as a certification authority of a public key
infrastructure. When an SSS is used, such a mandatory
replacement of the private key x can be circumvented
provided that not all subkeys have been compromised. The
following method for recovering from a partially
compromised SSS by re-generation of new subkeys can be
applied.

Suppose that the private subkeys $x_{i_1}, x_{i_2}, \ldots, x_{i_u}$,
where u < t, are compromised and that there exists a
non-compromised private subkey $x_k$. The SSS is fully
recovered by re-generating u+1 new subkeys
$x'_{i_1}, x'_{i_2}, \ldots, x'_{i_u}, x'_k$, where u of these new
subkeys are chosen uniformly at random in the group X and
the last new subkey is determined by the equation

$x'_{i_1} + x'_{i_2} + \ldots + x'_{i_u} + x'_k = x_{i_1} + x_{i_2} + \ldots + x_{i_u} + x_k$ .   (5)

This re-generation method can also be used to exchange a
subset of the private subkeys if such a subkey replacement
is required by a key management policy.
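As an added illustration, not part of the patent text, the following Python sketch implements the Subkey Generation Phase of equation (2) and the re-generation step just described for the additive key group X = Z_N. The group order N, the key value and the compromised indices are constructed toy values, and the names `split_key`, `reconstruct` and `regenerate` are chosen here.

```python
# Added example, not part of the patent text. Subkey generation (eq. (2))
# and subkey re-generation for an additive key group X = Z_N.
# N is a constructed toy group order; a real X would be e.g. Z_phi(n).
import secrets

N = 3120  # constructed: phi(n) for the toy RSA modulus n = 61 * 53


def split_key(x: int, t: int, N: int = N) -> list:
    """Subkey Generation Phase: t-1 uniformly random subkeys, the last one
    fixed so that x = x_1 + x_2 + ... + x_t (mod N)."""
    if t < 2:
        raise ValueError("a splitting needs at least two subkeys")
    subkeys = [secrets.randbelow(N) for _ in range(t - 1)]
    subkeys.append((x - sum(subkeys)) % N)
    return subkeys


def reconstruct(subkeys: list, N: int = N) -> int:
    """Checking aid only: a deployed SSS never forms x from the subkeys."""
    return sum(subkeys) % N


def regenerate(subkeys: list, compromised: list, N: int = N) -> list:
    """Re-generation after a proper subset of subkeys (0-based indices) is
    compromised: those subkeys and one non-compromised subkey x_k are
    replaced, the new ones summing to the same value as the old ones, so the
    key pair (x, y) stays valid while the leaked values become useless."""
    t = len(subkeys)
    bad = sorted(set(compromised))
    if len(bad) >= t:
        raise ValueError("all subkeys compromised: the key pair must be replaced")
    k = next(i for i in range(t) if i not in bad)
    old_sum = (sum(subkeys[i] for i in bad) + subkeys[k]) % N
    new = list(subkeys)
    fresh = [secrets.randbelow(N) for _ in bad]      # u uniformly random subkeys
    for i, v in zip(bad, fresh):
        new[i] = v
    new[k] = (old_sum - sum(fresh)) % N              # the last one is determined
    return new
```

Note that `regenerate` touches only the u compromised subkeys and one surviving subkey; the remaining t-u-1 subkeys and their devices are left untouched, which is what allows the key pair (x, y) and any certificate on y to stay in service.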

Signature Splitting for the RSA Signature 

The Rivest-Shamir-Adleman (RSA) PKCS is based on the
difficulty of factoring a product n = p·q of two large
prime numbers p and q (cf. US 4 405 829). Let $Z_{\varphi(n)}$
denote the ring of integers modulo $\varphi(n)$, where
$\varphi(n) = (p-1)(q-1)$. The private key x is a randomly
chosen invertible element of $Z_{\varphi(n)}$ and the public key
is given by n and the inverse y of x, i.e., y satisfies
$x \cdot y = 1 \bmod \varphi(n)$. The key group X consists of the
additive group of $Z_{\varphi(n)}$, the signature monoid S
consists of the multiplicative structure of the ring $Z_n$
and for a given message m in $Z_n$, the mapping $\sigma_m$ is
defined by

$\sigma_m(x) = m^x \bmod n$ .

In particular, $\sigma_m(0) = 1$ and, therefore, the mapping
$\psi_m$ defined in (1) coincides with $\sigma_m$. This allows one
to simplify the signature splitting method by skipping the
splitting step of the value $b = \sigma_m(0)$ as given in (4).
Note that $\psi_m = \sigma_m$ is a homomorphism if and only if m
is relatively prime to n, which is true for almost all m.
If m is not relatively prime to n, then m can be used to
break this RSA PKCS, i.e., an attacker can factor n
efficiently. But even in the case that m is not relatively
prime to n, the splitting scheme still functions properly,
i.e., (3) always holds for every splitting of x as given in
(2) because x is relatively prime to $\varphi(n)$.
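An added worked example, not from the patent, of the RSA instance: the subkeys are additive shares of x modulo φ(n), each partial signature is m^{x_i} mod n, and the combining step is the product in Z_n. The primes 61 and 53, the key pair (2753, 17) and the messages are constructed toy values; the block also exercises the remark above by signing a message that shares a factor with n, and `shared_factor` is the gcd check a practitioner would run on such a message.

```python
# Added example, not from the patent: RSA signature splitting with t
# additive subkeys of x modulo phi(n).  p, q, x, y and the messages are
# constructed toy values; a real modulus has thousands of bits.
import math
import secrets

p, q = 61, 53
n = p * q                  # 3233
phi = (p - 1) * (q - 1)    # 3120
x = 2753                   # private key, invertible mod phi
y = 17                     # public key: x * y = 1 mod phi


def split_key(x: int, t: int) -> list:
    """Subkey Generation Phase in the key group X = Z_phi(n)."""
    subkeys = [secrets.randbelow(phi) for _ in range(t - 1)]
    subkeys.append((x - sum(subkeys)) % phi)
    return subkeys


def partial_signature(m: int, x_i: int) -> int:
    """sigma_m(x_i) = m^x_i mod n.  Since sigma_m(0) = 1, psi_m = sigma_m and
    no b-splitting step is needed: device i needs only m and x_i."""
    return pow(m, x_i, n)


def combine(partials) -> int:
    """Combining step (6) in the multiplicative monoid of Z_n."""
    s = 1
    for s_i in partials:
        s = s * s_i % n
    return s


def split_sign(m: int, subkeys: list) -> int:
    return combine(partial_signature(m, x_i) for x_i in subkeys)


def verify(m: int, s: int) -> bool:
    return pow(s, y, n) == m % n


def shared_factor(m: int) -> int:
    """The remark in the text: a message with gcd(m, n) > 1 exposes a factor
    of n.  Returns that factor, or 1 for the usual coprime case."""
    return math.gcd(m, n)
```

The test below checks that the product of the partial signatures equals the plain RSA signature m^x mod n both for m = 65 (coprime to n) and for m = 122 = 2·61, where the gcd check returns the factor 61.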
Signature Splitting for the ElGamal Signature and the DSA

ElGamal based signature schemes rely on the difficulty of
the discrete logarithm problem (cf. Chapter 11.5 in the
textbook cited above). In the original ElGamal signature
scheme, a large finite field GF(q) and a primitive element
$\zeta$ of GF(q) are given. Each user randomly chooses his
private key x in the additive group of $X = Z_{q-1}$ and
forms his public key $y = \zeta^x$ in GF(q). Let h denote a
suitable hash function and let h(m), 0 < h(m) < q-1, denote
the hash value of a message to be signed. The signature for
m, consisting of the pair (r,s), is obtained by carrying
out the following steps.

(a) Compute $r = \zeta^k$ in GF(q), where k is a randomly
chosen element of $Z_{q-1}$ which is relatively prime to q-1.

(b) Solve for s in the congruence

$h(m) = x \cdot h(r) + k \cdot s \bmod (q-1)$ .

The signature value s lies in the signature monoid
$S = Z_{q-1}$, which is actually a group. The signature mapping
$\sigma_m$ is given by

$s = \sigma_m(x) = k^{-1} \cdot (h(m) - x \cdot h(r))$

and the message dependent value b equals
$\sigma_m(0) = k^{-1} \cdot h(m)$.

In an ElGamal based SSS, step (a), which does not depend
on the private key x, is performed as in the ElGamal
scheme and the signature splitting is applied to step (b).
In this setting, where X = S, a possible splitting rule
for the message dependent value b is given by the
splitting rule for the private subkeys as specified in
the Subkey Generation Phase.
The DSA of the DSS as described in FIPS 186 ("Digital
Signature Standard", Federal Information Processing
Standards Publication 186, U.S. Department of
Commerce/N.I.S.T., National Technical Information Service,
Springfield, Virginia, 1994) is based on the ElGamal
scheme. For the DSA it is assumed that q is a large prime
and that there is a prime u in the range $2^{159} < u < 2^{160}$,
which is a divisor of q-1. Moreover, $\beta \in GF(q)$ is
assumed to be a generator of the unique cyclic subgroup of
order u in the multiplicative group of GF(q). Similarly as
in the ElGamal scheme, the signature of a message m
consists of the pair (r, s), where

$r = (\beta^k \bmod q) \bmod u$

and

$s = k^{-1} (h(m) + x \cdot r) \bmod u$ .

Hence, the signature splitting can be carried out in a
similar way as in the ElGamal scheme.
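The following Python example is added here and is not from the patent; it carries the three-step method of (i)-(iii) through for the DSA instance just described: the message dependent value b = k^{-1}·h(m) is split additively (step (i)), each partial signature is k^{-1}·x_i·r + b_i (step (ii)), and their sum is the DSA value s (step (iii)). The nonce step (a) is computed once and its result (k^{-1}, r) is given to all devices, as the text's treatment of the ElGamal step (a) implies. q = 1223, u = 47, the key and the message are constructed toy values far below the FIPS 186 sizes; all function names are chosen here.

```python
# Added example, not from the patent: steps (i)-(iii) of the splitting
# method applied to the DSA.  q, u, the key and the message are constructed
# toy values; FIPS 186 requires a 160-bit u and a much larger q.
import hashlib
import secrets

q = 1223   # prime (toy); q - 1 = 2 * 13 * 47
u = 47     # prime divisor of q - 1 (toy)
beta = next(c for c in (pow(h, (q - 1) // u, q) for h in range(2, q)) if c != 1)


def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % u


def keygen(x: int):
    return x % u, pow(beta, x, q)


def split_group(v: int, t: int) -> list:
    """Additive splitting rule in Z_u: used for the subkeys (eq. (2)) and,
    because here X = S = Z_u, also for the subvalues b_i of step (i)."""
    parts = [secrets.randbelow(u) for _ in range(t - 1)]
    parts.append((v - sum(parts)) % u)
    return parts


def nonce_step(k=None):
    """Step (a) of the DSA, independent of x: r = (beta^k mod q) mod u.
    Returns (k^-1 mod u, r); raises if r = 0 so that the caller retries."""
    k = k if k is not None else 1 + secrets.randbelow(u - 1)
    r = pow(beta, k, q) % u
    if r == 0:
        raise ValueError("r = 0, choose a fresh k")
    return pow(k, -1, u), r


def partial_signature(x_i: int, b_i: int, kinv: int, r: int) -> int:
    """Step (ii): s_i = psi_m(x_i) * b_i with psi_m(x_i) = k^-1 * x_i * r and
    the monoid operation being addition mod u."""
    return (kinv * x_i * r + b_i) % u


def split_sign(m: bytes, subkeys: list, k=None):
    kinv, r = nonce_step(k)
    b = kinv * H(m) % u                          # b = sigma_m(0) = k^-1 h(m)
    b_parts = split_group(b, len(subkeys))       # step (i)
    s = sum(partial_signature(x_i, b_i, kinv, r)
            for x_i, b_i in zip(subkeys, b_parts)) % u   # step (iii)
    if s == 0:
        raise ValueError("s = 0, choose a fresh k")
    return r, s


def sign_with_retry(m: bytes, subkeys: list, k_candidates=None):
    """Retries until r and s are nonzero; returns (k, (r, s))."""
    ks = k_candidates if k_candidates is not None else \
        iter(lambda: 1 + secrets.randbelow(u - 1), None)
    for k in ks:
        try:
            return k, split_sign(m, subkeys, k)
        except ValueError:
            continue
    raise RuntimeError("no usable nonce among the candidates")


def dsa_sign(m: bytes, x: int, k: int):
    """Plain DSA with the same nonce, for comparison only."""
    kinv, r = nonce_step(k)
    s = kinv * (H(m) + x * r) % u
    if s == 0:
        raise ValueError("s = 0, choose a fresh k")
    return r, s


def verify(m: bytes, y: int, sig) -> bool:
    r, s = sig
    if not (0 < r < u and 0 < s < u):
        return False
    w = pow(s, -1, u)
    v = pow(beta, H(m) * w % u, q) * pow(y, r * w % u, q) % q % u
    return v == r
```

The sum of the partial signatures equals k^{-1}·r·(x_1 + ... + x_t) + (b_1 + ... + b_t) = k^{-1}(x·r + h(m)) mod u, which is why `split_sign` and `dsa_sign` agree for the same nonce; the private key x itself is never formed.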

Signature Splitting for the Schnorr Signature

The Schnorr signature scheme (US 4 995 082) is a variant
of the ElGamal scheme. As a new idea, instead of being a
primitive element in GF(q), $\zeta$ is now a generator of a
large subgroup of the multiplicative group of GF(q).
Thus, $\zeta$ generates a group isomorphic to $Z_u$, where u
divides q-1. The key pair (x,y) is defined as above, i.e.,
$y = \zeta^x$ where x is an element of the key group $X = Z_u$.
Moreover, to reduce the message length a hash function h
is used.

The signature for m, consisting of the pair (e,s), is
obtained by carrying out the following steps.
(a') Compute $r = \zeta^k$ in GF(q), where k is a randomly
chosen element of $Z_u$.

(b') Form the concatenation m||r of m and r and compute
the hash value e = h(m||r).

(c') Compute the signature value

$s = \sigma_m(x) = x \cdot e + k \bmod u$ .

The signature value s lies in the signature monoid
$S = Z_u$, which is actually a group. The value b equals
$\sigma_m(0) = k$ and, thus, does not depend on m. This value
can be split into subvalues $b_i = k_i$ using the method of
the Subkey Generation Phase for the group $S = Z_u$. Since k
is random, one can generate this random value by randomly
selecting the subvalues $k_i$ and by setting

$k = k_1 + k_2 + \ldots + k_t$ .   (7)

In a Schnorr based SSS, the splitting method can be
applied to step (a'), i.e., one computes the pairs
$(k_i, r_i)$ separately, where $r_i = \zeta^{k_i}$ for
i = 1, 2, ..., t. To carry out step (b'), one needs only
the values $r_i$ and the message m as input. The hash value
e is computed as above using the product
$r = r_1 \cdot r_2 \cdot \ldots \cdot r_t$ (in GF(q)). In step (c'), the
partial signature values $s_i = x_i \cdot e + k_i \bmod u$ are
computed separately before they are combined to form the
signature value s.

Note that in this Schnorr based SSS, the random elements
$k_i$ can be generated and kept on the same separate storage
and computing devices as the private subkeys $x_i$ and these
elements never need to leave these separate devices.
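An added example, not the patent's own code, of the Schnorr based SSS in Python. Each device is modelled as an object that keeps its subkey x_i and its nonce share k_i internal and releases only r_i (step (a')) and s_i (step (c')); the computer holding the devices multiplies the r_i, hashes, and adds the s_i. q = 1223, u = 47 and the key are constructed toy values; `SubkeyDevice`, `challenge` and the other names are chosen here.

```python
# Added example, not from the patent: a Schnorr based SSS in which each
# device holds its own subkey x_i and nonce share k_i and never releases
# either.  q, u, the key and the message are constructed toy values.
import hashlib
import secrets

q = 1223   # prime (toy); q - 1 = 2 * 13 * 47
u = 47     # prime divisor of q - 1 (toy)
g = next(c for c in (pow(h, (q - 1) // u, q) for h in range(2, q)) if c != 1)


class SubkeyDevice:
    """Model of one of the t separate tamper-resistant devices."""

    def __init__(self, x_i: int):
        self._x_i = x_i % u
        self._k_i = None

    def commit(self) -> int:
        # step (a'): fresh nonce share k_i; only r_i = g^k_i leaves the device
        self._k_i = secrets.randbelow(u)
        return pow(g, self._k_i, q)

    def respond(self, e: int) -> int:
        # step (c'): partial signature s_i = x_i * e + k_i mod u
        if self._k_i is None:
            raise RuntimeError("commit() must precede respond()")
        s_i, self._k_i = (self._x_i * e + self._k_i) % u, None   # one-time k_i
        return s_i


def split_key(x: int, t: int) -> list:
    """Subkey Generation Phase in X = Z_u (eq. (2))."""
    parts = [secrets.randbelow(u) for _ in range(t - 1)]
    parts.append((x - sum(parts)) % u)
    return parts


def challenge(m: bytes, r: int) -> int:
    # step (b'): e = h(m || r), computed from m and the product r only
    data = m + r.to_bytes((q.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def split_sign(m: bytes, devices: list):
    r = 1
    for r_i in (d.commit() for d in devices):
        r = r * r_i % q                         # r = r_1 * r_2 * ... * r_t in GF(q)
    e = challenge(m, r)
    s = sum(d.respond(e) for d in devices) % u  # combining step (6) in Z_u
    return e, s


def verify(m: bytes, y: int, sig) -> bool:
    e, s = sig
    # g^s = g^(x e + k) = y^e * r, so r = g^s * y^-e must hash back to e
    r = pow(g, s, q) * pow(y, -e, q) % q
    return challenge(m, r) == e
```

Because r_1·r_2·...·r_t = g^{k_1 + ... + k_t} = g^k, the combined pair (e, s) is exactly a Schnorr signature under the nonce k of equation (7), although no party ever holds k or x.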


Signature Splitting for the Nyberg-Rueppel Signature
The Nyberg-Rueppel signature scheme (cf. K. Nyberg,
R. Rueppel, "Message Recovery for Signature Schemes Based
on the Discrete Logarithm Problem," Designs, Codes and
Cryptography, 7, 1996, pp. 61-81) is another variant of
the ElGamal scheme, where GF(q) is a prime field, i.e., q
is a prime. As in the Schnorr scheme, the key group X
consists of a large subgroup $Z_u$, where u divides q-1. The
key pair (x,y) is defined as in the Schnorr scheme. Instead
of a hash function, a redundancy function $\rho$ is used,
which is applied to a set of allowed messages. A message m
from this set is signed by carrying out the following
steps.

(a'') Compute the redundancy value $m' = \rho(m)$.
(b'') Compute $r = \zeta^{-k}$ in GF(q), where k is a randomly
chosen element of $Z_u$.
(c'') Compute $e = m' \cdot r$ in GF(q).
(d'') Compute the signature value

$s = \sigma_m(x) = x \cdot e + k \bmod u$ .

The signature consists of the pair (e,s). In a
Nyberg-Rueppel based SSS, step (a'') is performed as is.
The splitting method is applied to both step (b'') and
(d'').

In step (b''), one uses the splitting method for the
random element k as described in the Schnorr based SSS
(cf. equation (7)) and generates the pairs $(k_i, r_i)$,
where $r_i = \zeta^{-k_i}$. In step (c''), the value e is
computed from m and the values $r_i$ using the product
$r = r_1 \cdot r_2 \cdot \ldots \cdot r_t$ (in GF(q)). In step (d''), the
partial signature values $s_i = x_i \cdot e + k_i \bmod u$ are
computed separately before they are combined to form the
signature value s.






Signature Splitting for Elliptic Curve Based Signatures

ElGamal based digital signature schemes can also be
defined over elliptic curves. Instead of considering the
multiplicative group of GF(q), one considers a large
cyclic subgroup U of an elliptic curve C, which itself
forms a group with additive group operation $\oplus$. The
subgroup U is generated by some generator $\zeta$, which is a
point of the elliptic curve C. Let u denote the order of
the subgroup U. The mapping of the integers Z onto U
given by assigning to an integer i the i-fold 'sum'
$i \cdot \zeta = (\zeta \oplus \zeta \oplus \ldots \oplus \zeta)$ induces an
isomorphism from $Z_u$ onto U. For ElGamal based digital
signature schemes over elliptic curves, one can apply the
signature splitting method in a similar way as for the
ElGamal based schemes above. E.g., the key group is
$X = Z_u$ and the signature monoid S also equals $Z_u$.


Secret Sharing and Signature Splitting

Instead of using a simple Shared Control Scheme as
described above, more general Secret Sharing Schemes can
be applied, where a secret x is shared by e.g. 4 persons
and whenever 2 of these 4 persons put together their
shares $x_i$ they can reconstruct the secret x. These more
general types of Secret Sharing Schemes can be combined
with signature splitting if the group operations that are
used are compatible with those of the underlying signature
scheme.

Consider e.g. an RSA PKCS with n = p·q and a key pair
(x,y). The secret sharing scheme given in the first
example in the paper "On Secret Sharing" by E.D. Karnin,
J.W. Greene and M.E. Hellman (in IEEE Trans. on Information
Th., Vol. 29, No. 1, Jan 1983, pp. 35-41) can be adapted
to work for signature splitting. To this end, the
condition (3) of the mentioned paper is dropped.




The Subkey Generation Phase consists of two steps. In a
first step, the private key x is split into
$x = u_1 + u_2 \bmod \varphi(n)$. In a second step, the secret
$(u_1, u_2)$ is divided into 4 shares

$x_1 = (u_3,\; u_4)$ ,
$x_2 = (u_1 + u_2 + u_3,\; u_2 + u_4)$ ,
$x_3 = (u_2 + u_3,\; u_1 + u_4)$ ,
$x_4 = (u_1 + u_3,\; u_2 + u_3 + u_4)$

where + denotes addition modulo $\varphi(n)$ and where $u_3$ and
$u_4$ are randomly chosen. Eventually, the 4 shares are
stored on separate devices.

For a message m, the signature splitting is characterized
by the pairs of partial signature values

$b_i = (m^{x_{i1}},\; m^{x_{i2}}) \bmod n$

where $x_{i1}$ denotes the first and $x_{i2}$ the second
component of $x_i$. From any 2 of the 4 partial signature
pairs - when combining their components suitably - one can
compute

$s = (m^{u_1},\; m^{u_2}) \bmod n$ .

The final signature value is obtained by multiplying the
two components of s, i.e., $s = m^{u_1} \cdot m^{u_2} \bmod n$.
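An added Python example, not from the patent or the Karnin-Greene-Hellman paper: the 2-out-of-4 share structure above, the partial signature pairs, and the reconstruction of (m^{u_1}, m^{u_2}) from any two of them. The table of reconstruction coefficients is derived here from the four share definitions (with the second share read as (u_1+u_2+u_3, u_2+u_4), the reading under which every pair of shares determines (u_1, u_2)); the additive reconstruction f and its multiplicative counterpart g use the same coefficients, which is exactly the compatibility the text requires. The RSA parameters are constructed toy values and all names are chosen here.

```python
# Added example, not from the patent or the Karnin-Greene-Hellman paper:
# 2-out-of-4 sharing of an RSA private key and signature reconstruction
# from any two partial-signature pairs.  RSA parameters are constructed toys.
import secrets
from itertools import combinations

p, q = 61, 53
n, phi = p * q, (p - 1) * (q - 1)     # 3233, 3120
x, y = 2753, 17                       # x * y = 1 mod phi

# Reconstruction coefficients for share pair (i, j), i < j, on the four
# components (share_i[0], share_i[1], share_j[0], share_j[1]).  The first
# vector yields u1, the second u2.  In the key group a coefficient c means
# "add c times the component" (f); in the signature monoid it means "multiply
# by the component raised to c" (g), a negative c being a modular inverse.
RECON = {
    (1, 2): ([-1, 1, 1, -1], [0, -1, 0, 1]),
    (1, 3): ([0, -1, 0, 1], [-1, 0, 1, 0]),
    (1, 4): ([-1, 0, 1, 0], [-1, -1, 0, 1]),
    (2, 3): ([1, 0, -1, 0], [1, 1, -1, -1]),
    (2, 4): ([0, 1, 1, -1], [1, 0, -1, 0]),
    (3, 4): ([1, 1, 0, -1], [2, 1, -1, -1]),
}


def make_shares(x: int) -> dict:
    """Step 1: x = u1 + u2 mod phi; step 2: the four shares of (u1, u2)."""
    u1 = secrets.randbelow(phi)
    u2 = (x - u1) % phi
    u3, u4 = secrets.randbelow(phi), secrets.randbelow(phi)
    add = lambda *v: sum(v) % phi
    return {1: (u3, u4),
            2: (add(u1, u2, u3), add(u2, u4)),
            3: (add(u2, u3), add(u1, u4)),
            4: (add(u1, u3), add(u2, u3, u4))}


def f_recon(i: int, j: int, share_i, share_j) -> tuple:
    """Additive reconstruction of (u1, u2) from shares i < j (checking aid;
    a deployed scheme never brings two shares together)."""
    comps = [*share_i, *share_j]
    return tuple(sum(c * v for c, v in zip(coef, comps)) % phi
                 for coef in RECON[(i, j)])


def partial_pair(m: int, share) -> tuple:
    """Device-side computation: b_i = (m^x_i1, m^x_i2) mod n."""
    return tuple(pow(m, comp, n) for comp in share)


def g_recon(i: int, j: int, pair_i, pair_j) -> tuple:
    """Multiplicative counterpart of f_recon: (m^u1, m^u2) mod n.
    Requires gcd(m, n) = 1 so that the inverses exist."""
    comps = [*pair_i, *pair_j]
    out = []
    for coef in RECON[(i, j)]:
        acc = 1
        for c, v in zip(coef, comps):
            acc = acc * pow(v, c, n) % n       # pow(v, -1, n): Python 3.8+
        out.append(acc)
    return tuple(out)


def threshold_sign(m: int, i: int, j: int, shares: dict) -> int:
    s1, s2 = g_recon(i, j, partial_pair(m, shares[i]), partial_pair(m, shares[j]))
    return s1 * s2 % n                          # s = m^u1 * m^u2 = m^x mod n


def all_pairs_consistent(m: int, shares: dict) -> bool:
    """True if every 2-of-4 combination reproduces the plain RSA signature
    and the additive reconstructions all agree on one (u1, u2)."""
    expected = pow(m, x, n)
    pairs = list(combinations(range(1, 5), 2))
    u = {f_recon(i, j, shares[i], shares[j]) for i, j in pairs}
    sigs = {threshold_sign(m, i, j, shares) for i, j in pairs}
    return sigs == {expected} and len(u) == 1 and sum(next(iter(u))) % phi == x
```

A single share carries only sums masked by the random u_3 and u_4, so one device on its own reveals nothing about (u_1, u_2); the combining party, which may be the verifier, sees only the partial pairs and never a share.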

The above can be generalized as follows. A t-out-of-w
Secret Sharing Scheme, where the secret x is split into w
shares $x_i$ lying in a subkey group X' with group operation
+', can be characterized by requiring that there exist
reconstruction functions $f_{i_1 i_2 \ldots i_t}$ from the t-fold
direct product X'×X'×...×X' into the key group X for any
t-element subset $i_1, i_2, \ldots, i_t$ such that
$x = f_{i_1 i_2 \ldots i_t}(x_{i_1}, x_{i_2}, \ldots, x_{i_t})$. Suppose that
$f_{i_1 i_2 \ldots i_t}$ is a homomorphism and that the partial
signature values $s_i$ are contained in a monoid S' with
composition law *'. Define a homomorphism $g_{i_1 i_2 \ldots i_t}$
from the t-fold direct product S'×S'×...×S' into the
signature monoid S, which is derived from $f_{i_1 i_2 \ldots i_t}$
by replacing the group operations +' and + by the
composition laws *' and *, respectively. The Secret Sharing
Scheme is compatible with the signature scheme if, for
almost all messages m, there exists a homomorphism $\psi'_m$
from the subkey group X' to the monoid S' that is
compatible with $\psi_m$, i.e., for every t-tuple
$v_1, v_2, \ldots, v_t$ in X'×X'×...×X' the following equation
in S must hold

$\psi_m(f_{i_1 i_2 \ldots i_t}(v_1, \ldots, v_t)) = g_{i_1 i_2 \ldots i_t}(\psi'_m(v_1), \ldots, \psi'_m(v_t))$ .

For such a compatible Secret Sharing Scheme, one can
generate the partial signature values
$s_i = \psi'_m(x_i) *' b_i$ in the partial signature monoid S',
where the $b_i$, i = 1, 2, ..., w, are elements of the
partial signature monoid S' such that

$g_{i_1 i_2 \ldots i_t}(b_{i_1}, b_{i_2}, \ldots, b_{i_t}) = \sigma_m(0)$ .

The combining operation, which generates the signature
value s out of any t partial signatures, is given by

$s = g_{i_1 i_2 \ldots i_t}(s_{i_1}, s_{i_2}, \ldots, s_{i_t})$ .



While there are shown and described presently preferred
embodiments of the invention, it is to be distinctly
understood that the invention is not limited thereto but
may be otherwise variously embodied and practiced within
the scope of the following claims.
Claims

1. A method for generating a digital signature comprising
a signature value $s = \sigma_m(x)$ using a signature algorithm
$\Sigma$ and a private and public key pair x,y for a message m,

wherein x is an element of a group X with group operation
+, where 0 denotes the neutral element, and the signature
value s is an element of a monoid S with composition law
* and wherein the map $\psi_m$ defined by
$\psi_m(x) = \sigma_m(x) * (\sigma_m(0))^{-1}$ is a homomorphism from
X to S for almost all messages m,

said method comprising the steps of

providing $w \ge 2$ private subkeys $x_1, x_2, \ldots, x_w$ in a
subkey group X' with group operation +' such that said
private key x can be reconstructed from any subset of at
least t, $2 \le t \le w$, subkeys $x_{i_1}, x_{i_2}, \ldots, x_{i_t}$
using $x = f_{i_1 i_2 \ldots i_t}(x_{i_1}, x_{i_2}, \ldots, x_{i_t})$,

using said subkeys for generating partial signature
values $s_i = \psi'_m(x_i) *' b_i$ in a partial signature
monoid S'

and generating said signature value s from any t
partial signatures using
$s = g_{i_1 i_2 \ldots i_t}(s_{i_1}, s_{i_2}, \ldots, s_{i_t})$,

wherein $f_{i_1 i_2 \ldots i_t}$ is a homomorphism from the t-fold
direct product X'×X'×...×X' into the key group X and
$g_{i_1 i_2 \ldots i_t}$ is a homomorphism from the t-fold direct
product S'×S'×...×S' into the signature monoid S, which is
derived from $f_{i_1 i_2 \ldots i_t}$ by replacing the group
operations +' and + by the composition laws *' and *,
respectively,

where the $b_i$, i = 1, 2, ..., w, are elements of the
partial signature monoid S' such that

$g_{i_1 i_2 \ldots i_t}(b_{i_1}, b_{i_2}, \ldots, b_{i_t}) = \sigma_m(0)$ ,

and where, for almost all messages m, $\psi'_m$ is a
homomorphism from the subkey group X' to the partial
signature monoid S' compatible with $\psi_m$, i.e., for every
t-tuple $v_1, v_2, \ldots, v_t$ in X'×X'×...×X' the following
equation in S must hold

$\psi_m(f_{i_1 i_2 \ldots i_t}(v_1, \ldots, v_t)) = g_{i_1 i_2 \ldots i_t}(\psi'_m(v_1), \ldots, \psi'_m(v_t))$ .

2. The method of claim wherein said signature scheme is
the RSA signing algorithm.


3. The method of claim 1 wherein said signature algorithm
$\Sigma$ is the ElGamal, the DSA of the DSS, the Schnorr or the
Nyberg-Rueppel signature algorithm over the originally
specified groups or over subgroups of an elliptic curve.


4. The method of one of the preceding claims wherein said
step of generating said partial signature values
$s_1, s_2, \ldots, s_w$ is carried out in a secure environment
and said step of generating said signature value from said
partial signature values is carried out in a non-secure
environment.

5. The method of one of the preceding claims wherein
X' = X, S' = S, $\psi'_m = \psi_m$ and t = w and where
$f_{12 \ldots t}(x_1, \ldots, x_t) = x_1 + x_2 + \ldots + x_t$ and
$g_{12 \ldots t}(s_1, \ldots, s_t) = s_1 * s_2 * \ldots * s_t$.

6. The method of claim 5 comprising the step of
generating a new set of subkeys
$\{x'_{i_1}, x'_{i_2}, \ldots, x'_{i_u}, x'_k\}$ from said subset and at
least one non-compromised subkey $x_k$ in case that a proper
subset $\{x_{i_1}, x_{i_2}, \ldots, x_{i_u}\}$ of said subkeys is
compromised or to be replaced.

7. The method of claim 6 wherein said new set of subkeys
is generated such that
$x'_{i_1} + x'_{i_2} + \ldots + x'_{i_u} + x'_k = x_{i_1} + x_{i_2} + \ldots + x_{i_u} + x_k$.



8. The method of one of the preceding claims comprising
the step of storing at least one of said subkeys $x_i$
separately on a tamper-resistant device.
9. The method of claim 8 wherein said tamper-resistant
device is a chip card.

10. The method of one of the claims 8 or 9 wherein said
step for generating the partial signature values
$s_i = \psi_m(x_i) * b_i$ is carried out in said tamper-resistant
device.






11. An apparatus for generating a digital signature
comprising means for carrying out the method of one of the
preceding claims.